Difference between revisions of "Microsoft Identity Platform"
From MgmtWiki
(→References) |
(→Context) |
||
| (35 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==Full Title== | ==Full Title== | ||
| − | Microsoft Identity Platform allows sign in with a Microsoft personal or work account. | + | [https://docs.microsoft.com/en-us/azure/active-directory/develop/ Microsoft Identity Platform] allows sign in with a Microsoft personal or work account. |
| − | AKA [https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0 Microsoft Graph] in early 2021. | + | AKA [https://docs.microsoft.com/en-us/graph/overview?view=graph-rest-1.0 Microsoft Graph] in early 2021 as a replacement for Azure AD Graph. |
==Context== | ==Context== | ||
* [https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-web-api Aspnet Core Web API] Quickstart | * [https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-aspnet-core-web-api Aspnet Core Web API] Quickstart | ||
| + | Microsoft has their own terminology, the following applies to Azure Active Directory (AAD) [https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/what-is-application-management application management] | ||
| + | {|border="1" padding="2" width="799px" | ||
| + | | Term || Description | ||
| + | |- | ||
| + | | Active Directory || Microsoft's Identity and Access Management (IAM) system | ||
| + | |- | ||
| + | |On Premise || not in Azure | ||
| + | |- | ||
| + | |Portal || A GUI to control an Azure Tenant(s). | ||
| + | |- | ||
| + | | Tenant || A named administrative entity on Azure | ||
| + | |- | ||
| + | |Enterprise App || Named software application that needs to know the identifier for users | ||
| + | |- | ||
| + | |MyApps|| [https://myapplications.microsoft.com A Microsoft site] that list all of the apps you have access to | ||
| + | |- | ||
| + | | SSO || [[Single Sign-On]] is the use of Azure AD for user access to more than one app or API. | ||
| + | |- | ||
| + | |Principal|| An Identifier that owns a running process on Windows. | ||
| + | |- | ||
| + | |User || A [[Principal]] on a computing device, typically a smartphone or laptop. It MIGHT identify a human. | ||
| + | |- | ||
| + | |Conditional Access || Additional annoyance placed in the path of user access to an app. | ||
| + | |- | ||
| + | |User Agent || a software application that interfaces between a human user and the internet. Typically a browser. | ||
| + | |- | ||
| + | |Application Proxy || Any code between your app and AAD. | ||
| + | |- | ||
| + | | OIDC || [[OpenID Connect]] (as well as SAML) is a protocol to access AAD. | ||
| + | |- | ||
| + | |OAuth client || Used synonymously with Relying Party (see RP) | ||
| + | |- | ||
| + | |IdP || Identifier Provideer (may also include attributes or claim of the subject) | ||
| + | |- | ||
| + | | OP || OpenID Provider (one form of IdP) as per [OIDC.Core] | ||
| + | |- | ||
| + | |SIOP || Self-Issued OpenID Provider as per [OIDC.Core] section 7. | ||
| + | |- | ||
| + | |RP || Relying Party, as used in [OIDC.Core] for any website the relies on claims produced by a CP for example an OP. | ||
| + | |- | ||
| + | | CP || Claims provider, Certificate Provider, Credential Provider, Credential Service Provider, etc. | ||
| + | |- | ||
| + | | Identifier Wallet || An application that is under the control and acts on behalf of the key credential holder. aka identity agent. can be a mobile app, browser extension/ plugin etc. | ||
| + | |- | ||
| + | | Trust Authority || A URL endpoint that contains the references that define, inter alia, the operation of the picker and of the wallets | ||
| + | |- | ||
| + | |Trusted Wallet || code trusted by one or more Trust Authorities to protect user secrets and perhaps to validate user presence. | ||
| + | |} | ||
==Problems== | ==Problems== | ||
| Line 14: | Line 62: | ||
Run the [https://gunnarpeipman.com/aspnet-core-windows-iot/ following command] in PowerShell to open port 5000 of board: | Run the [https://gunnarpeipman.com/aspnet-core-windows-iot/ following command] in PowerShell to open port 5000 of board: | ||
netsh advfirewall firewall add rule name=”ASP.NET Core Web Server port” dir=in action=allow protocol=TCP localport=5000 | netsh advfirewall firewall add rule name=”ASP.NET Core Web Server port” dir=in action=allow protocol=TCP localport=5000 | ||
| + | |||
| + | ==Troubleshooting== | ||
| + | *We're unable to complete your request - unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908. | ||
| + | * [https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-management-certs-faq Trouble with Application Management certificates.] | ||
| + | * [https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/app-management-powershell-samples Using powershell with Application Management] | ||
| + | * AADSTS700016: Application with identifier '4ab79763-17de-4d91-a797-69ea667c6cb7' was not found in the directory 'aaaaaaaaa'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant (where the tenant had been set to "common") The error means that there is a mismatch between the tenant where your app is registered and where you have stated in either the application code or the portal that your application is registered. In your code for the application you need to set the tenant ID. This is generally located in either the web.config or the app settings. Then you need to register the application in the portal under the same tenant ID that you have set in your code. Also ensure that your application ID/client ID are matching on both sides and all of the values set in your app settings/web.config match what you have in the portal. | ||
| + | * AADSTS50020: User account 'tom@tomcjones.onmicrosoft.com' from identity provider 'https://sts.windows.net/8b3032c7-772d-4996-9cdf-542bd3c057fb/' does not exist in tenant 'Default Directory' and cannot access the application '647796f4-c852-424d-bc3e-8ff7377b01d5'(TomCJones) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. << problem tomcjones.on~ had to use the domain name that was provided already in Azure. | ||
| + | |||
| + | ==User Application Development== | ||
| + | * Since this platform is based on [[OpenID Connect]] (OIDC) user applications are considered to be clients ins the sense described in [[OAuth 2.0]]. | ||
| + | * Apps first call PublicClientApp = PublicClientApplicationsBUilder.Create(ClientID).{other options}.Build(). | ||
| + | * call PublicClientApp,GetAccountsAsync() and pick one of the proffered accounts. | ||
==Registration== | ==Registration== | ||
* The Microsoft Graph API offers a single endpoint, https://graph.microsoft.com, to provide access to rich, people-centric data and insights in the Microsoft cloud, including Microsoft 365, Windows 10, and Enterprise Mobility + Security. | * The Microsoft Graph API offers a single endpoint, https://graph.microsoft.com, to provide access to rich, people-centric data and insights in the Microsoft cloud, including Microsoft 365, Windows 10, and Enterprise Mobility + Security. | ||
| + | * [https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent?tabs=azure-portal#grant-admin-consent-to-enterprise-apps-in-the-azure-portal Configure how end-users consent to applications] The guidance "reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, by allowing user consent only for applications that have been published by a verified publisher." was not followed during development and needs to be enabled. | ||
| + | * [https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow Admin consent workflow] allows the user to ask an admin to approve an app. | ||
==References== | ==References== | ||
* [https://docs.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web Microsoft Identity Web authentication library] 2020-10-09 | * [https://docs.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web Microsoft Identity Web authentication library] 2020-10-09 | ||
| + | * [https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello Widows Hardware Developer] for windows hello. Shows how to add biometric device drivers. | ||
* [https://github.com/AzureAD/microsoft-identity-web microsoft.idenity.web] on Github | * [https://github.com/AzureAD/microsoft-identity-web microsoft.idenity.web] on Github | ||
* [https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport Widows Hello] aka Passport. Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10. | * [https://docs.microsoft.com/en-us/windows/uwp/security/microsoft-passport Widows Hello] aka Passport. Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10. | ||
Latest revision as of 16:29, 18 April 2021
Contents
Full Title
Microsoft Identity Platform allows sign in with a Microsoft personal or work account.
AKA Microsoft Graph in early 2021 as a replacement for Azure AD Graph.
Context
- Aspnet Core Web API Quickstart
Microsoft has their own terminology, the following applies to Azure Active Directory (AAD) application management
| Term | Description |
| Active Directory | Microsoft's Identity and Access Management (IAM) system |
| On Premise | not in Azure |
| Portal | A GUI to control an Azure Tenant(s). |
| Tenant | A named administrative entity on Azure |
| Enterprise App | Named software application that needs to know the identifier for users |
| MyApps | A Microsoft site that list all of the apps you have access to |
| SSO | Single Sign-On is the use of Azure AD for user access to more than one app or API. |
| Principal | An Identifier that owns a running process on Windows. |
| User | A Principal on a computing device, typically a smartphone or laptop. It MIGHT identify a human. |
| Conditional Access | Additional annoyance placed in the path of user access to an app. |
| User Agent | a software application that interfaces between a human user and the internet. Typically a browser. |
| Application Proxy | Any code between your app and AAD. |
| OIDC | OpenID Connect (as well as SAML) is a protocol to access AAD. |
| OAuth client | Used synonymously with Relying Party (see RP) |
| IdP | Identifier Provideer (may also include attributes or claim of the subject) |
| OP | OpenID Provider (one form of IdP) as per [OIDC.Core] |
| SIOP | Self-Issued OpenID Provider as per [OIDC.Core] section 7. |
| RP | Relying Party, as used in [OIDC.Core] for any website the relies on claims produced by a CP for example an OP. |
| CP | Claims provider, Certificate Provider, Credential Provider, Credential Service Provider, etc. |
| Identifier Wallet | An application that is under the control and acts on behalf of the key credential holder. aka identity agent. can be a mobile app, browser extension/ plugin etc. |
| Trust Authority | A URL endpoint that contains the references that define, inter alia, the operation of the picker and of the wallets |
| Trusted Wallet | code trusted by one or more Trust Authorities to protect user secrets and perhaps to validate user presence. |
Problems
- The package Microsoft.Identity.Web requires that a new trusted signer key is added to nuget.config (2020-10-06). The following command fixed this.
nuget.exe trusted-signers Add -Name Microsoft2021 -CertificateFingerprint AA12DA22A49BCE7D5C1AE64CC1F3D892F150DA76140F210ABD2CBFFCA2C18A27 -FingerprintAlgorithm SHA256
Install and Run
Run the following command in PowerShell to open port 5000 of board:
netsh advfirewall firewall add rule name=”ASP.NET Core Web Server port” dir=in action=allow protocol=TCP localport=5000
Troubleshooting
- We're unable to complete your request - unauthorized_client: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
- Trouble with Application Management certificates.
- Using powershell with Application Management
- AADSTS700016: Application with identifier '4ab79763-17de-4d91-a797-69ea667c6cb7' was not found in the directory 'aaaaaaaaa'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant (where the tenant had been set to "common") The error means that there is a mismatch between the tenant where your app is registered and where you have stated in either the application code or the portal that your application is registered. In your code for the application you need to set the tenant ID. This is generally located in either the web.config or the app settings. Then you need to register the application in the portal under the same tenant ID that you have set in your code. Also ensure that your application ID/client ID are matching on both sides and all of the values set in your app settings/web.config match what you have in the portal.
- AADSTS50020: User account 'tom@tomcjones.onmicrosoft.com' from identity provider 'https://sts.windows.net/8b3032c7-772d-4996-9cdf-542bd3c057fb/' does not exist in tenant 'Default Directory' and cannot access the application '647796f4-c852-424d-bc3e-8ff7377b01d5'(TomCJones) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account. << problem tomcjones.on~ had to use the domain name that was provided already in Azure.
User Application Development
- Since this platform is based on OpenID Connect (OIDC) user applications are considered to be clients ins the sense described in OAuth 2.0.
- Apps first call PublicClientApp = PublicClientApplicationsBUilder.Create(ClientID).{other options}.Build().
- call PublicClientApp,GetAccountsAsync() and pick one of the proffered accounts.
Registration
- The Microsoft Graph API offers a single endpoint, https://graph.microsoft.com, to provide access to rich, people-centric data and insights in the Microsoft cloud, including Microsoft 365, Windows 10, and Enterprise Mobility + Security.
- Configure how end-users consent to applications The guidance "reduce the risk of malicious applications attempting to trick users into granting them access to your organization's data, by allowing user consent only for applications that have been published by a verified publisher." was not followed during development and needs to be enabled.
- Admin consent workflow allows the user to ask an admin to approve an app.
References
- Microsoft Identity Web authentication library 2020-10-09
- Widows Hardware Developer for windows hello. Shows how to add biometric device drivers.
- microsoft.idenity.web on Github
- Widows Hello aka Passport. Windows Hello is the name Microsoft has given to the new biometric sign-in system built into Windows 10.
- Create a Windows Hello login app using UWP & XAML
